Enter the Schedule for the report.
You can select a predefined Schedule for your report, or you can define a custom schedule using standard cron notation.

Enter the Time range for the report.
Time range is the time range for which the report collects data. It defaults to the time range that you have set for the report. Specify a new time range to override the default.

(Optional) Select a Schedule Priority for the report.
Use Schedule Priority to raise the scheduling priority of this search. Use with discretion. Only roles with the edit_search_schedule_priority capability can see Schedule Priority or set it to a value other than Default.

(Optional) Select a Schedule Window for the report to run within.
When there are many scheduled reports set to run concurrently, you can set Schedule Window to specify how long the report scheduler can defer this report and cause it to yield to higher-importance reports. Only roles with the edit_search_schedule_window capability can see Schedule Window or set it to a value other than No Window.

If you have Splunk Enterprise, you can also configure report email actions in the alert_actions.conf or savedsearches.conf configuration files. Use alert_actions.conf to configure global properties. Use savedsearches.conf to configure individual reports. See Configure alerts in savedsearches.conf in the Alerting Manual.

Use tokens in scheduled report email subjects and bodies

A token is a type of variable that represents data generated by a search job. Splunk Enterprise provides various tokens that you can use to include information generated by a search in the fields of an email. For scheduled report delivery, you can use tokens in the following fields of an email:

Subject

Message

Footer

Access the value of a token with the following syntax:

$<token-name>$

For example, place the following token in the subject field of a scheduled report delivery to reference the app containing the report.

Search results from $app$

Tokens available for email notifications

This section lists common tokens you can use in scheduled email delivery of reports. There are four categories of tokens that access data generated from a search. The context for using the tokens differs.

The following table lists all categories of tokens. Tokens from all categories are available for scheduling report delivery.

In addition to the common tokens listed in this topic, the savedsearches.conf and alert_actions.conf files list attributes whose values are available from tokens. To access these additional attribute values, place the attribute between the $ token delimiters.

Tokens that access search metadata

Common tokens that access information about a search. These tokens are available from the following contexts:

Indicates if the search is from an alert, report, view, or the search command.

$view_link$

Link to view the saved report.

$alert.severity$

Severity level of the alert.

$alert.expires$

Time the alert expires.

Tokens available from results

From results, you use the result.<fieldname> token to access the first value of a specified field in search results. This token is available from the following contexts:

Alert actions

Scheduled reports

| Token | Description |
| --- | --- |
| $result.fieldname$ | Returns the first value for the specified field name from the first result in the search. The field name must be present in the search. |

Tokens that access job information

Common tokens that access data specific to a search job, such as the search ID or messages generated by the search job. These tokens are available from the following contexts:

Alert actions

Scheduled reports

| Token | Description |
| --- | --- |
| $job.earliestTime$ | Initial time a search job starts. |
| $job.eventSearch$ | Subset of the search that contains the part of the search before any transforming commands. |
| $job.latestTime$ | Latest time recorded for the search job. |
| $job.messages$ | List of error and debug messages generated by the search job. |
| $job.resultCount$ | Number of results returned by the search job. |
| $job.runDuration$ | Time, in seconds, that the search took to complete. |
| $job.sid$ | Search ID. |
| $job.label$ | Name given to the search job. |

Tokens available from server

Common tokens that provide details about your Splunk deployment. These tokens are available for the scheduled PDF delivery of dashboards.

The following table lists some of the common tokens that are available.

| Token | Description |
| --- | --- |
| $server.build$ | Build number of the Splunk software. |
| $server.serverName$ | Server name hosting the Splunk deployment. |
| $server.version$ | Version number of the Splunk deployment. |

Deprecated email notification tokens

The following tokens from prior releases of Splunk software are deprecated.

| Token | Description |
| --- | --- |
| $results.count$ | (Deprecated) Use $job.resultCount$. |
| $results.url$ | (Deprecated) Use $results_link$. |
| $results.file$ | (Deprecated) No equivalent available. |
| $search_id$ | (Deprecated) Use $job.id$. |

Run a Script action example

You can set up a Run a Script action that sends results of the report to an external system each time it runs. It does this by running a script that calls an API that sends the report results to the external system.

For security reasons, place all scripts in either of the following locations of your Splunk Enterprise instance:

$SPLUNK_HOME/bin/scripts

$SPLUNK_HOME/etc/<AppName>/bin/scripts

You can also configure running a scheduled report script with a shell script or batch file. Make this configuration in the savedsearches.conf configuration file. See Configure scripted alerts in the Alerting Manual.
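The following audit sketch is an added example, not part of the Splunk documentation. It scans savedsearches.conf text for the deprecated email tokens listed above and for script actions whose file name carries a path component. The stanzas are constructed sample data, the settings action.email.subject, action.email.message.report, and action.script.filename are savedsearches.conf settings not shown on this page, and treating a path separator in the script name as a violation of the script-location rule is this example's assumption.

```python
import configparser
import re

# Deprecated tokens and replacements, copied from the table on this page.
DEPRECATED = {
    "results.count": "$job.resultCount$",
    "results.url": "$results_link$",
    "results.file": None,  # no equivalent available
    "search_id": "$job.id$",
}
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")

# Constructed sample savedsearches.conf content, not from a real deployment.
SAMPLE_CONF = """
[Weekly failed logins]
enableSched = 1
cron_schedule = 0 6 * * 1
action.email.subject = $results.count$ results from $app$ ($job.sid$)
action.email.message.report = See $results.url$
action.script.filename = ../../tmp/forward.sh

[Daily summary]
enableSched = 1
action.email.subject = Search results from $app$
action.script.filename = forward_results.sh
"""

def audit(conf_text):
    """Return (stanza, setting, finding) tuples for a savedsearches.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        for key, value in parser.items(stanza):
            if key.startswith("action.email."):
                for token in TOKEN_RE.findall(value):
                    if token in DEPRECATED:
                        new = DEPRECATED[token] or "none"
                        findings.append((stanza, key, f"deprecated ${token}$ (replacement: {new})"))
            # Assumption: a script name with a path component points outside bin/scripts.
            if key == "action.script.filename" and re.search(r"[\\/]", value):
                findings.append((stanza, key, "script name contains a path"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding, sep=" | ")
```
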

On the report detail page, select Schedule this search to open up the scheduling and alerting options for the report.

Select a Schedule type.

| Option | Description |
| --- | --- |
| Basic | Lets you select a preset schedule period from a list, such as Run every 5 minutes or Run every day at midnight. |
| Cron | Lets you define a custom schedule period using standard cron notation. |

(Optional) Select a Schedule Window for the report to run within.
When there are many scheduled reports set to run concurrently, you can set Schedule Window to specify how long the report scheduler can defer this report and cause it to yield to higher-priority reports. Only roles with the edit_search_schedule_window capability can see Schedule Window or set it to a value other than No Window.

(Optional) Select a Schedule Priority for the report.
Use Schedule Priority to raise the scheduling priority of this search. Use with discretion. Only roles with the edit_search_schedule_priority capability can see Schedule Priority or set it to a value other than Default.

To make the report behave like a report that has been scheduled with the Edit Schedule dialog, set the alert Condition to Always.
This ensures that the alert actions you define are performed each time Splunk Enterprise runs the report.

Set Alert mode to Once per search.
Do not activate Throttling for scheduled reports. Do not set Expiration and Severity for scheduled reports.

(Optional) Define the alert actions required for your scheduled report. Do not define alert actions for a scheduled report that runs in real-time.

(Optional) Select Summary Indexing if you want the scheduled search to populate data into a summary index.
See the documentation of the summary indexing functionality to learn more about these settings. You do not need to set up summary indexing for searches that already benefit from report acceleration.

Click Save to save your changes.

Create scheduled real-time reports for dashboards

Use scheduled real-time reports when you want your dashboards to display incoming data in real time. You can create scheduled real-time reports in Settings.

When you use unscheduled real-time reports for dashboard panels, they relaunch each time the dashboard is loaded by a user. If several users load the same dashboard you can quickly reach the real-time concurrent search limit for your Splunk implementation. After you reach this limit, you cannot launch more real-time reports.

Manage this by backing dashboard panels with scheduled real-time searches. Scheduled real-time reports begin running when you create them. When a user loads a dashboard with panels that use scheduled real-time searches, those panels just display the results of the real-time reports already in progress. New real-time reports are not launched.

Enable others to access a scheduled report

If you have a role that gives you write access to the knowledge objects in your app (such as the Power or Admin roles), you can set or change the report permissions so it is available to other Splunk users at an app or global level. See Set report permissions, in this manual.

Manage the priority of concurrently scheduled reports

Depending on how you configure your Splunk deployment, you might be able to run only one scheduled report at a time. Under this restriction, when you schedule multiple reports to run at approximately the same time, the Splunk search scheduler works to ensure that all of your scheduled reports get run consecutively for the period of time over which they are supposed to gather data. However, there are cases where you may need to have certain reports run ahead of others in order to ensure that current data is obtained, or to ensure that gaps in data collection do not occur (depending on your needs).
